Implementing Advanced Security and Privacy in the Nationwide Health Information Network (NHIN)
Presentation to Health Information Technology Policy and Standards Committees

John (Mike) Davis
David Staggs (SAIC)
Department of Veterans Affairs
June 17, 2010
Agenda

• Introduction
• Foundations
• Implementation
• Demonstration
• Summary

2
Virtual Lifetime Electronic Record

On April 9, 2009, President Obama directed the Department of Defense and the Department of Veterans Affairs to create the Virtual Lifetime Electronic Record:

“… will ultimately contain administrative and medical information from the day an individual enters military service throughout their military career and after they leave the military.”
 -President Barack Obama

3
Virtual Lifetime Electronic Record Strategy

• Allow health care providers access to Servicemembers’ and Veterans’ health records, in a secure and authorized way, regardless of whether care is delivered in the private sector, by Department of Defense (DoD), or VA
• More efficient, effective, and timely than creating a single DoD/VA system
  – Builds on existing DoD and VA Electronic Health Record capabilities
  – Solves the need to share information with the private sector
  – Not a large acquisition program
  – Avoids obsolescence as Electronic Health Record systems modernize

4
Business Case for Health Information Sharing

Nationwide Health Information Network: San Diego Project
News Report
• Electronic processes replace paper-based health information requests, saving weeks or months
• Advanced security and privacy mechanisms ensure appropriate access to patient records
• Patients have the option to allow or prevent sharing of some of their information

5
NHIN San Diego Physical Deployment (To-Be)

[Deployment diagram; only the abbreviation key is recoverable]
ADI=Access Control Decision Information
CDS=Clinical Data Services
HDR=Health Data Repository
MPI=Master Patient Index
NHIN=Nationwide Health Information Network
PDP=Policy Decision Point
PEP=Policy Enforcement Point
ROI=Release of Information
RPC=Remote Procedure Call
WS=Web Services
XACML=eXtensible Access Control Markup Language

6
View of Summary of Care Record (C32)




                                       7
Foundations



              8
Bottom Up Innovation Within a Coordination Framework

[Diagram adapted from the Interoperability Framework Overview*]

Today’s story is built on the backbone of a coordination framework applied to security and privacy
* Interoperability Framework Overview, Douglas Fridsma, MD, PhD, March 24, 2010

9
Top Health Care System Security Requirements

• Security and privacy infrastructure for end-to-end data sharing
• High-assurance person identifiers across federated domains
• Organizational and personal policy enforcement
• User accountability for potential security events (audit)
• Security assurance, interoperability through standards, common processes, and system certification

10
Patient Privacy Requirements

Key Concept: Enforce both Consumer and Enterprise Privacy policy with Common Security Services

• Enforcing consumer privacy policy is a security concern
• Agreement to enforce privacy is a business decision/contract with consumer
• Basic consumer privacy policies both control access and constrain security

11
Web of Standards and Related Organizations

[Diagram: standards organizations and the security/privacy work items each contributes]
NHIN: NHIN Updates; Certification Profiles
CCHIT
IHE: Health care Profiles
HL7: CDA Consent Directive; Healthcare Functional Role Standard; CPP Access Control; SOA Security and Privacy; Security/Privacy Info Models; Privacy Confidentiality Codes; HL7 Service Aware Architecture
OASIS: SAML, XACML, WS-Trust Profiles
ASTM: Privilege Management; Structural Roles
HITSP: Authorization/Privacy Preference standards and Interface Specifications
ISO via US TAG: Privilege Management; Structural and Functional Roles, +++
ANSI-INCITS: RBAC Standard; RBAC Implementation
NIST: FIPS/Special Publications
Demos
Text Color Key: Standards; Models/Draft standards
Source: Mike Davis, Office of Health Information, Security Architect, April 20, 2010

CDA=Clinical Document Architecture
FIPS=Federal Information Processing Standard
HL7=Health Level 7
HITSP=Healthcare Information Technology Standards Panel
ISO=International Standards Organization
NHIN=Nationwide Health Information Network
NIST=National Institute of Standards & Technology
OASIS=Organization for the Advancement of Structured Information Standards
RBAC=Role Based Access Control
SAML=Security Assertion Markup Language
SOA=Service Oriented Architecture
XACML=eXtensible Access Control Markup Language

12
Leveraging Standards Organizations

Key Concept: Meet interoperability requirements with standards, their profiles, and shared information models

[Timeline 1/08 – 1/09 – 1/10: Building Consensus, then Balloting Standards]

ASTM=American Society for Testing and Materials
DHHS=Department of Health and Human Services
HL7=Health Level 7
HITSP=Healthcare Information Technology Standards Panel
NHIN=Nationwide Health Information Network
OASIS=Organization for the Advancement of Structured Information Standards
RBAC=Role Based Access Control

13
Conduct Interoperability Demonstrations

Key Concept: Validate approach through interoperability demonstrations (reference implementations and testing)

• RSA Conference March 2010 – Multi-vendor demonstration of NHIN Connect Security & Privacy
• HIMSS Apr 2009 – First end-to-end demonstration of privacy consents and access control
• London Conference Oct 2008 – Extensions to the RSA demonstration adding SAML
• RSA Conference April 2008 – Multi-vendor demonstration of OASIS XACML profile

Clinical roles and permissions: Clinician least privilege
Emergency access: Granting extraordinary access during events involving risk of potential death or injury
Patient consent directives: Patient driven authorizations to personal health information use and disclosure
Health care security policy: Health care specific business rules for application behavior and patient safety

HIS=Health Information System
NHIN=Nationwide Health Information Network
SAML=Security Assertion Markup Language
XACML=eXtensible Access Control Markup Language

14
Advanced Concept Demonstrations

Protecting the Human Genome - RSA 2010
[Diagram; recoverable labels follow]
Patient / PHR Service: Patient has ability to view their Genotype and determine whether to deny access to all or portions of it. Visibility To Patient.
Patient Policy: Constrains access to specific AT-RISK SNPs based on characteristics and/or disease grouping (Policy, Constraints)
Access Control System: PIP, PDP, PEP; Assertion Consumption; Obligation; Clinical Adaptive Services; Response; Continuous Re-validation of Patient Policy Intent
Provider: Request for Patient’s genotype
XSPA Enabled Service Provider
Genome Wide Association Studies Service: Original Mapping of Patient’s Genotype; GWAS; New diseases and characteristics are mapped; Multiple Organizations Contribute Findings; Trusted/Clinically relevant providers

GWAS=Genome-wide Association Study
PDP=Policy Decision Point
PEP=Policy Enforcement Point
PHR=Patient Health Record
PIP=Policy Information Point
SNP=Single Nucleotide Polymorphism
XSPA=Cross-enterprise Security and Privacy Authorization

15
Global Participants




System and Participant Locations
RSA 2008 – San Francisco, CA
Oasis XACML InterOp Demonstration – Ditton Manor, London, UK
HIMSS 2009 – Chicago, IL
RSA 2010 – San Francisco, CA


                                                               16
Implementation



                 17
Reference Model Overview




                           GW=Gateway
                           PEP=Policy Enforcement Point
                           ROI=Release of Information Office



                                                               18
Consumer Privacy
      &
   eConsent

                   19
Wife of a Wounded Warrior

Sarah Wade Video: http://www.youtube.com/watch?v=wrgHtc5DKIM

Testimony: http://veterans.house.gov/hearings/Testimony.aspx?TID=59828&Newsid=567&Name=%20Sarah%20%20Wade

20
Veteran eConsent Task Goal

• Provide Veterans with a simple way to create, electronically
  sign, and communicate their personal privacy preferences:
   • From their home, at a VA Hospital Kiosk, or anywhere
      else
   • To encourage and support participation in NHIN
   • Replace cumbersome paper-based systems

• Meet ONC Consumer Preference Requirements
• Veterans are VA’s consumers, but goals apply equally to all
  NHIN providers

                                           NHIN=Nationwide Health Information Network
                                           ONC=Office of the National Coordinator



                                                                                        21
Meet ONC Consumer Preferences Requirements

Consumers should be able to:

• Define permissions for who is permitted to access information
• Express how their health information would be made available
• Authorize release of their health information
• Establish various types of consumer preferences (consents, advance directives, etc.)
• Define privacy preference conditions including:
  – By type of information (all data, segmentation of data)
  – By role and criteria based access, including type of encounter, embargoed records (VIP, legal restrictions)
  – By time (start, end, duration)
  – By level of participation (opt-in, opt-out, with or without additional classifications, with or without additional granularity)
  – By purpose of use

[Each item is colour-coded on the slide: Fully meets / Partially meets / Does not meet]

NHIN=Nationwide Health Information Network
ONC=Office of the National Coordinator
VIP=Very Important Person

22
Patient Viewpoint (to-be)




                     Consent Directive




                                         23
VA Forms Supporting eConsent Policies




                                        24
eConsent Signature Service Framework

[Diagram: the Veteran Patient provides User Input to the Authentication Service and Demographic Service; the Electronic Forms Repository (1) feeds the Signature Service (2), which obtains Approval; (3) the Signature is bound to the document]

25
Leverages HL7 Consent Directive Analysis Model

[Class diagram; elements and their attributes:]
Privacy Policy Reference
Consent directive attributes: allow/disallow action; purpose of consent; effective period; additional conditions
Action Specification: hierarchy of operations applied to information
Health Information Affected: Related to a diagnosis; Data Sensitivity; Coverage Type; Type of information (e.g., results)
Medical Record Reference: Patient Identification; Medical Record Identification
Information Sender: Organization
Information Receiver: Role; Identity

26
Privacy Management


                     27
Release Of Information (ROI) Consent Reconciliation




                                                      28
Consumer Preferences Selection (To-Be)–Initiate/Revoke




   MHV=MyHealtheVet
   ROI=Release of Information
   VAMC=VA Medical Center


                                                         30
Security Management


                      31
Security Management

• Provide control and management of security mechanisms providing security services
• Control and provision of enterprise security policy, identity and authorizations (IAM), and other security information
• Generate configuration data, cryptographic keys
• Provide security management for logging of security relevant events, recovery, and support for breach reporting

32
Assigning and Provisioning Roles

ASTM E1986-2009 structural roles (includes 166 codes) with the corresponding SNOMED CT code where the slide gives one:

Code  Role                                                                SNOMED CT
AUDIOLOGIST
001   Audiologist                                                         309418004
DENTAL
002   Dental Hygienist/Registered Dental Hygienist (RDH)                  26042002
003   Dentist                                                             106289002
004   Oral Surgeon                                                        49993003
DIETITIAN (RD)
005   Dietitian (RD)                                                      159033005
NON-WESTERN MEDICINE PROVIDERS
006   Certified Acupuncturist (CA)
007   Licensed Massage Therapist (LMT)/ Registered Massage Therapist (RMT)
NURSE
008   Nurse                                                               224569005
009   Clinical Nurse Specialist (CNS)                                     106292003
010   Clinical Registered Nurse Anesthetist (CRNA)                        405278004
011   Licensed Vocational Nurse (LVN)/ Licensed Practical Nurse (LPN)
012   Nurse Midwife (NM)
013   Nurse Practitioner (NP)                                             224571005
014   Registered Nurse (RN)                                               224535009
OPTOMETRIST (OD)
015   Optometrist (OD)                                                    28229004
PHARMACIST
016   Pharmacist                                                          46255001
017   Pharmacist, Apothecary                                              159011008
018   Pharmacist, Clinical                                                159010009
PHYSICIAN
019   Chiropractor (DC)                                                   3842006
020   Osteopath (DO)                                                      76231001
021   Homeopath
022   MD/Allopath
023   Naturopath (NP)
024   Pathologist                                                         61207006
025   Podiatrist (DPM)                                                    159034004
026   Psychiatrist                                                        80584001
027   Radiologist                                                         66862007
028   Physician Assistant (PA)
029   Psychologist                                                        59944000
030   Social Worker (LCSW)                                                106328005
031   Speech Pathologist

33
VA Identity and Access Management

Identity Proofing – Standardized Proofing Process
[Diagram; recoverable labels: identity sources (Veterans, Beneficiaries, Employees, Contractors, Affiliates; Other Sources (SSA, OPM, etc.); VA Trusted Agent) → Identity Proofing Process (Administer Identity; Check Identity; Verify & Capture Identity; Correlate & Store; Proofing Service Provider; Proofing Repository; Provide Identity Information) → credentialing (VIC Card Issuance Process for Veterans & Beneficiaries; PIV Card Process and E-Auth Credentialing Process for Employees, Contractors, & Affiliates; sample PIV card “Smith, Patricia”) → consuming systems (BIRLS, LMS, PIV, VADIR, PAID, HealtheVet, Vista, MPI, E-Benefits, ETA/IFCAP)]

BIRLS=Beneficiary Identification and Records Locator System
eBenefits=Electronic Benefits
ETA/IFCAP=Integrated Funds Control, Accounting, and Procurement
LMS=Learning Management System
MPI=Master Patient Index
PAID=Personal and Accounting Integrated Data System
PIV=Personal Identity Verification
VADIR=VA/DoD Identity Repository
VIC=Veteran Identity Care
VISTA=Veterans Health Information Systems and Technology Architecture

34
Access Control Service



                         35
Consumer Preferences and Policy (CPP) SOA
     High-Level Framework




    HITSP TP20 Access Control, TP30 Manage Consent Directives, OASIS XSPA SAML,
                                     WS-TRUST

HITSP=Healthcare Information Technology                                      TP=Transaction Package
Standards Panel                                                              XACML=eXtensible Access Control Markup Language
OASIS=Organization for the Advancement of Structured Information Standards
SAML=Security Assertion Markup Language




                                                                                                                               36
OASIS XSPA SAML Attribute Assertion

Attributes used to enforce security and privacy in an XSPA cross-enterprise exchange of patient data

[Diagram: the assertion carries the following attributes]
SubjectID (User): Unique identifier specific to a given entity.
Organization
Location
Purpose of Use (POU): one or more POU values. Described in XSPA profiles and mutually agreed upon by participating entities.
Role (S): Structural Role. Refer to [ASTM E1986-98 (2005)]
Role (F): Functional Role. ANSI-INCITS 359-2004 Compliant. Refer to [HL7-PERM]
Permission 1 {Action, Object} … Permission N {Action, Object}

37
Implemented Security and Privacy Policies
• Demonstrate the Enforcement of Patient Consent Directives
    • Opt-In / Opt-Out
    • Deny Access based on Organizations
    • Deny Access based on Role
    • Deny Access based on Purpose of Use*
    • Deny Access to Specific Providers
    • Mask C32 Results based on Role (future release)**
    • Mask C32 Results for Specific Providers (future release)**
    • Mask C32 Results based on data sensitivity (not supported)

• Demonstrate the Enforcement of Organizational Policies
    • Limit access to specific organizations
    • Limit access during specific hours of the day
    • Require certain roles based on purpose of use and service requested
    • Require certain permissions based on purpose of use and service requested

    * Demonstration only. Current model is single purpose of use
    **Future capability. Requires ability of Adaptor to accept obligation


                                                                                  37
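The consent directive and organizational rules listed above, evaluated against the attributes the XSPA SAML assertion carries (subject, organization, structural role, purpose of use), amount to a deny-overrides decision. The following is an added example written for this page, not code from the VA/NHIN project, NHIN Connect or the Jericho Systems PDP; the identifiers, role names, purpose-of-use values, access hours and sample request are constructed for illustration.

```python
"""Added example, not code from the VA/NHIN project or the NHIN Connect PDP:
a small deny-overrides evaluator for the patient consent directives and
organizational policies listed on the slide. Identifiers, role names,
purpose-of-use values, hours and the sample request are constructed."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    """Access request as the PEP sees it: XSPA-style attributes plus a clock."""
    subject_id: str        # unique identifier of the requesting user
    organization: str      # requesting (provider) domain
    structural_role: str   # ASTM E1986 structural role name, e.g. "Physician"
    purpose_of_use: str    # XSPA purpose of use, e.g. "TREATMENT" (constructed value)
    request_time: time     # local time at the responding domain


@dataclass
class PatientConsent:
    """Consent directive, simplified: opt-in plus the denial types on the slide."""
    opt_in: bool = False
    denied_organizations: set = field(default_factory=set)
    denied_roles: set = field(default_factory=set)
    denied_purposes: set = field(default_factory=set)
    denied_subjects: set = field(default_factory=set)   # specific providers


@dataclass
class OrganizationalPolicy:
    """The responding organization's own rules, independent of any patient."""
    allowed_organizations: set
    access_window: tuple              # (start, end) local time, end exclusive
    required_roles_by_purpose: dict   # purpose of use -> roles that may assert it


def patient_denials(req: Request, consent: PatientConsent) -> list:
    """Deny reasons that originate from the patient's consent directive."""
    reasons = []
    if not consent.opt_in:
        reasons.append("patient has not opted in to exchange")
    if req.organization in consent.denied_organizations:
        reasons.append(f"organization {req.organization} denied by patient")
    if req.structural_role in consent.denied_roles:
        reasons.append(f"role {req.structural_role} denied by patient")
    if req.purpose_of_use in consent.denied_purposes:
        reasons.append(f"purpose of use {req.purpose_of_use} denied by patient")
    if req.subject_id in consent.denied_subjects:
        reasons.append(f"provider {req.subject_id} denied by patient")
    return reasons


def organizational_denials(req: Request, policy: OrganizationalPolicy) -> list:
    """Deny reasons that originate from the responding organization's policy."""
    reasons = []
    if req.organization not in policy.allowed_organizations:
        reasons.append(f"organization {req.organization} not permitted")
    start, end = policy.access_window
    if not (start <= req.request_time < end):
        reasons.append(f"request at {req.request_time} outside permitted hours")
    required = policy.required_roles_by_purpose.get(req.purpose_of_use)
    if required is None:
        reasons.append(f"purpose of use {req.purpose_of_use} not recognised")
    elif req.structural_role not in required:
        reasons.append(f"role {req.structural_role} may not request {req.purpose_of_use}")
    return reasons


def decide(req: Request, consent: PatientConsent, policy: OrganizationalPolicy) -> tuple:
    """Deny-overrides: a single deny reason from either policy set denies the request."""
    reasons = patient_denials(req, consent) + organizational_denials(req, policy)
    return ("Deny", reasons) if reasons else ("Permit", [])


# Constructed sample data: a patient who opted in but blocks one organization,
# one role and one named provider; an organization with business-hours access.
SAMPLE_CONSENT = PatientConsent(
    opt_in=True,
    denied_organizations={"urn:example:org:clinic-b"},
    denied_roles={"Pharmacist"},
    denied_subjects={"urn:example:user:drjones"},
)
SAMPLE_ORG_POLICY = OrganizationalPolicy(
    allowed_organizations={"urn:example:org:clinic-a", "urn:example:org:clinic-b"},
    access_window=(time(7, 0), time(19, 0)),
    required_roles_by_purpose={
        "TREATMENT": {"Physician", "Registered Nurse (RN)", "Pharmacist"},
        "EMERGENCY": {"Physician", "Registered Nurse (RN)"},
    },
)


def sample_request(**overrides) -> Request:
    """A permitted baseline request; keyword overrides exercise the denials."""
    attrs = dict(subject_id="urn:example:user:drsmith", organization="urn:example:org:clinic-a",
                 structural_role="Physician", purpose_of_use="TREATMENT", request_time=time(10, 30))
    attrs.update(overrides)
    return Request(**attrs)


if __name__ == "__main__":
    cases = {
        "baseline": sample_request(),
        "patient-denied role": sample_request(structural_role="Pharmacist"),
        "patient-denied organization": sample_request(organization="urn:example:org:clinic-b"),
        "after hours": sample_request(request_time=time(22, 0)),
        "pharmacist asserting emergency": sample_request(structural_role="Pharmacist", purpose_of_use="EMERGENCY"),
    }
    for label, req in cases.items():
        print(f"{label:32s} -> {decide(req, SAMPLE_CONSENT, SAMPLE_ORG_POLICY)}")
```

The evaluator keeps patient-originated and organization-originated denials separate so that an audit record can say which policy set blocked a request; with deny-overrides, one reason from either set is enough, and the "pharmacist asserting emergency" case shows both sets denying the same request for different reasons.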
Current State

• Nationwide Health Information Network Connect provides a basic Policy Decision Point (PDP)
  • Jericho Systems PDP with 12 pre-filled policies
  • Used in interoperability demonstrations
• Can be used to deploy, test, and benchmark any provider’s solution

39
Demonstration



                40
Advanced Technology Demonstration
Clinicians request patient information with access control enforced by security and privacy policies

[Screenshots with callouts: Cross-domain patient Discovery menu; Can constrain access to many types of health care objects; Clinical Summary (below) reflects provider domain’s security and privacy policies]

41
Advanced Technology Demonstration (Provider)
Recent standards allow patients and
organizations improved security and
privacy control over medical records




Patient must opt-In before their record is exchanged
Patient can constrain the domains that have access to their records
Patient can set general restrictions through use of HL7 Confidentiality Codes
Patient can set specific restrictions to specific roles based on Purpose of Use, or Constrain Access of Specific Providers
Patient can mask specific portions of the medical record on Role or a Specific Provider




                                                                                                                             42
Advanced Technology Demonstration (Requester)
Clinicians now have access to
patients’ records with appropriate
access control enforced by both
domains.
                                     User may assert Purpose of
                                     Use as Emergency Treatment.




Cross-domain patient
Discovery menu




                                                                   43
XACML Policy Examples - Patient

Patient Policy
 Opt-IN
 Blacklisted Organizations
 Confidentiality/Sensitive Data
 Selected Provider – Role Based Denial
 Selected Provider – Unique ID Based Denial
 Data Redaction – Provider Role
 Data Redaction – Provider Unique Identifier

Demonstrated Advanced Concepts of Obligations
 Genomics

Denial based on the subject's ASTM structured role:

<Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting:role"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Denies the request from the subject if their role is not permitted by the patient.</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
                                       DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xspa:1.0:patient:dissenting:roles:deny">
    <Description>Evaluates the dissenting-role (if available) against the subject's role.</Description>
    <Target />
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                      DataType="http://www.w3.org/2001/XMLSchema#string" />
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-role"
                                       DataType="http://www.w3.org/2001/XMLSchema#string" />
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
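To make the slide's "Selected Provider – Role Based Denial" policy concrete, the following small evaluator, added here and not code from the presentation or from NHIN CONNECT, loads the XACML above and decides requests against it. Role values such as "nurse" are constructed stand-ins for the ASTM structured role codes the slide refers to; the example also shows a check a policy author would want, namely that string-subset compares the whole bag of asserted roles, so the deny fires only when every role the requester asserts is one the patient dissented to.

```python
"""Mini XACML PDP for the patient "dissenting role" policy on the slide above.
Added example (not code from the presentation or from NHIN CONNECT); it handles
only the XACML subset that policy uses: a string-equal ResourceMatch target,
Apply/AttributeDesignator/AttributeValue conditions, deny-overrides combining."""
import xml.etree.ElementTree as ET

XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"
XSPA = "urn:oasis:names:tc:xspa:1.0:"
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
MEDICAL_RECORD = XSPA + "resource:hl7:type:medical-record"

# The policy from the slide, with the XML viewer's "-" markers removed.
POLICY_XML = """<Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting:role"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Denies the request from the subject if their role is not permitted by the patient.</Description>
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ResourceMatch>
    </Resource></Resources>
  </Target>
  <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xspa:1.0:patient:dissenting:roles:deny">
    <Description>Evaluates the dissenting-role (if available) against the subject's role.</Description>
    <Target/>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

# XACML 1.0 function semantics used here. string-at-least-one-member-of is a
# real XACML 1.0 function, included to compare the two readings of "dissent".
FUNCTIONS = {
    XACML_FN + "and": lambda *args: all(args),
    XACML_FN + "string-subset": lambda a, b: set(a) <= set(b),
    XACML_FN + "string-at-least-one-member-of": lambda a, b: bool(set(a) & set(b)),
}

def _bag(request, designator):
    """Resolve a Subject/ResourceAttributeDesignator to a bag of values;
    a missing attribute yields an empty bag (MustBePresent is not set)."""
    category = "subject" if designator.tag.startswith("Subject") else "resource"
    return list(request.get(category, {}).get(designator.get("AttributeId"), []))

def _eval(request, node):
    """Evaluate an Apply tree; leaves are AttributeValues or designators."""
    if node.tag == "Apply":
        return FUNCTIONS[node.get("FunctionId")](*[_eval(request, c) for c in node])
    if node.tag == "AttributeValue":
        return node.text
    return _bag(request, node)

def _target_matches(request, target):
    """An empty Target matches everything; every ResourceMatch must hold.
    Only string-equal MatchIds occur in this policy, so that is assumed."""
    if target is None:
        return True
    for match in target.findall("./Resources/Resource/ResourceMatch"):
        wanted = match.find("AttributeValue").text
        if wanted not in _bag(request, match.find("ResourceAttributeDesignator")):
            return False
    return True

def evaluate(policy_xml, request):
    """Return 'Deny', 'Permit' or 'NotApplicable' under deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(request, policy.find("Target")):
        return "NotApplicable"
    effects = []
    for rule in policy.findall("Rule"):
        if not _target_matches(request, rule.find("Target")):
            continue
        condition = rule.find("Condition")
        if condition is None or bool(_eval(request, condition[0])):
            effects.append(rule.get("Effect"))
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def request_for(subject_roles, dissenting_roles, resource_type=MEDICAL_RECORD):
    """Request context: the requester's asserted roles plus the resource's
    record type and the patient's dissenting roles (constructed values)."""
    return {"subject": {SUBJECT_ROLE: list(subject_roles)},
            "resource": {XSPA + "resource:hl7:type": [resource_type],
                         XSPA + "resource:patient:dissenting-role": list(dissenting_roles)}}

if __name__ == "__main__":
    # Constructed cases: the patient has dissented to "nurse" access.
    print(evaluate(POLICY_XML, request_for(["nurse"], ["nurse"])))      # Deny
    print(evaluate(POLICY_XML, request_for(["physician"], ["nurse"])))  # NotApplicable
    # string-subset fires only when EVERY asserted role is dissented; a subject
    # asserting an extra role is not caught, the at-least-one-member-of form is.
    both = request_for(["nurse", "physician"], ["nurse"])
    print(evaluate(POLICY_XML, both))                                   # NotApplicable
    print(evaluate(POLICY_XML.replace("string-subset", "string-at-least-one-member-of"), both))  # Deny
```

A NotApplicable result is not a permit: in the deployed policy set the organization's own policy still has to decide, which is why the slide pairs patient policy with provider-domain policy.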




                                                                                                                                                          44
Demonstration Videos

Use Case Examples
Patient Privacy – Clinical Data Masking                   http://www.youtube.com/watch?v=RKbAtmgWGz4
Health Care Organization Policy – Emergency Treatment     http://www.youtube.com/watch?v=8aA2Uy6IsQs
Protecting the Human Genome                               http://www.youtube.com/watch?v=A3HtXCu2sa8




Overviews
XSPA Technology Overview – Part 1                        http://www.youtube.com/watch?v=fQQRwnbg-IE
XSPA Technology Overview – Part 2a                       http://www.youtube.com/watch?v=TvHt9Yz2ekk
XSPA Technology Overview – Part 2b                       http://www.youtube.com/watch?v=3IZvVDNvmiU




     *Larger videos are available for viewing at: http://www.ascendahealthcare.com/himss2009.html


                                                                                                      45
Next Steps

   OASIS Reference Model
   OASIS Certification
   XSPA Profile of WS-Trust
   OASIS XACML Ontology
   OASIS Privacy Management Reference Model (PMRM)
   INCITS (Next Gen RBAC)
   ISO Purpose of Use
   OASIS XSPA Submission to ITU
 SOA PASS Audit
 IHE XUA++


                                                      46
Lessons Learned

 Need for a strong level of assurance between the consumer's identity and the health record identity (potentially at multiple locations)
 Need national guidance for the use of electronic signature in consent directives
 Need for more effort in back-office security and privacy management: role assignment, policy writing, provisioning, etc.




                                                      47
Summary



          48
HL7 Access Control Service Framework




                                       49
Summary
 Core standards are in place and new standards are under development to meet gaps
 Vendors have demonstrated the ability to implement:
   • Multiple vendors demonstrated at several InterOps
   • “no cost” solutions available today from NHIN CONNECT:
     http://www.connectopensource.org/partners/Jericho%20Systems%20Corporation
 VA is implementing advanced security and privacy capabilities in NHIN projects:
   • Kaiser Permanente and DoD
   • Plans to participate in Beacon Communities

NHIN=Nationwide Health Information Network

QUESTIONS?

                                                                                50

Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

NHIN Privacy & Security

  • 1. Implementing Advanced Security and Privacy in the Nationwide Health Information Network (NHIN). Presentation to Health Information Technology Policy and Standards Committees. John (Mike) Davis, David Staggs (SAIC), Department of Veterans Affairs, June 17, 2010.
  • 2. Agenda: Introduction; Foundations; Implementation; Demonstration; Summary.
  • 3. Virtual Lifetime Electronic Record. On April 9, 2009, President Obama directed the Department of Defense and the Department of Veterans Affairs to create the Virtual Lifetime Electronic Record: “… will ultimately contain administrative and medical information from the day an individual enters military service throughout their military career and after they leave the military.” – President Barack Obama
  • 4. Virtual Lifetime Electronic Record Strategy
    – Allow health care providers access to Servicemembers’ and Veterans’ health records, in a secure and authorized way, regardless of whether care is delivered in the private sector, by Department of Defense (DoD), or VA
    – More efficient, effective, and timely than creating a single DoD/VA system
      – Builds on existing DoD and VA Electronic Health Record capabilities
      – Solves the need to share information with the private sector
      – Not a large acquisition program
      – Avoids obsolescence as Electronic Health Record systems modernize
  • 5. Business Case for Health Information Sharing. Nationwide Health Information Network: San Diego Project News Report
    – Electronic processes replace paper-based health information requests, saving weeks or months
    – Advanced security and privacy mechanisms ensure appropriate access to patient records
    – Patients have the option to allow or prevent sharing of some of their information
  • 6. NHIN San Diego Physical Deployment (To-Be). Abbreviations: ADI=Access Control Decision Information; CDS=Clinical Data Services; HDR=Health Data Repository; MPI=Master Patient Index; NHIN=Nationwide Health Information Network; PDP=Policy Decision Point; PEP=Policy Enforcement Point; ROI=Release of Information; RPC=Remote Procedure Call; WS=Web Services; XACML=eXtensible Access Control Markup Language
  • 7. View of Summary of Care Record (C32)
  • 9. Bottom Up Innovation Within a Coordination Framework. Today’s story is built on the backbone of a coordination framework* applied to security and privacy. (* Interoperability Framework Overview, Douglas Fridsma, MD, PhD, March 24, 2010)
  • 10. Top Health Care System Security Requirements
    – Security and privacy infrastructure for end-to-end data sharing
    – High-assurance person identifiers across federated domains
    – Organizational and personal policy enforcement
    – User accountability for potential security events (audit)
    – Security assurance, interoperability through standards, common processes, and system certification
  • 11. Patient Privacy Requirements. Key Concept: Enforce both Consumer and Enterprise Privacy policy with Common Security Services
    – Enforcing consumer privacy policy is a security concern
    – Agreement to enforce privacy is a business decision/contract with consumer
    – Basic consumer privacy policies both control access and constrain security
  • 12. Web of Standards and Related Organizations (diagram: CPP Access Control; Mike Davis, Office of Health Information, Security Architect, April 20, 2010). Organizations shown: NHIN, HL7, CCHIT, IHE, OASIS, ASTM, ISO, HITSP, ANSI-INCITS, NIST. Work items shown: Certification Profiles; NHIN Updates; Health care Profiles; CDA Consent Directive; Healthcare Functional Role Standard; SAML, XACML, WS-; SOA Security and Privacy; Security/Privacy Info Models; System Trust Profiles; Privacy Confidentiality Codes; Privilege Management; HL7 Service Aware Architecture; Structural Roles; Authorization/Privacy via US TAG; Preference standards; Interface Specifications; Structural and Functional Roles, +++; RBAC Standard; RBAC Implementation; FIPS/Special Publications. Text color key: Standards; Models/Draft standards; Demos. Abbreviations: CDA=Clinical Document Architecture; FIPS=Federal Information Processing Standard; HL7=Health Level 7; HITSP=Healthcare Information Technology Standards Panel; ISO=International Standards Organization; NHIN=Nationwide Health Information Network; NIST=National Institute of Standards & Technology; OASIS=Organization for the Advancement of Structured Information Standards; RBAC=Role Based Access Control; SAML=Security Assertion Markup Language; SOA=Service Oriented Architecture; XACML=eXtensible Access Control Markup Language
  • 13. Leveraging Standards Organizations. Key Concept: Meet interoperability requirements with standards, their profiles, and shared information models. (Timeline 1/08, 1/09, 1/10: Building Consensus, Balloting, Standards.) Abbreviations: ASTM=American Society for Testing and Materials; DHHS=Department of Health and Human Services; HL7=Health Level 7; HITSP=Healthcare Information Technology Standards Panel; NHIN=Nationwide Health Information Network; OASIS=Organization for the Advancement of Structured Information Standards; RBAC=Role Based Access Control
  • 14. Conduct Interoperability Demonstrations. Key Concept: Validate approach through interoperability demonstrations (reference implementations and testing)
    – RSA Conference March 2010 – Multi-vendor demonstration of NHIN Connect Security & Privacy
    – HIMSS Apr 2009 – First end-to-end demonstration of privacy consents and access control
    – London Conference Oct 2008 – Extensions to the RSA demonstration adding SAML
    – RSA Conference April 2008 – Multi-vendor demonstration of OASIS XACML profile
    Use cases:
    – Clinical roles and permissions: Clinician least privilege
    – Emergency access: Granting extraordinary access during events involving risk of potential death or injury
    – Patient consent directives: Patient driven authorizations to personal health information use and disclosure
    – Health care security policy: Health care specific business rules for application behavior and patient safety
    Abbreviations: HIS=Health Information System; NHIN=Nationwide Health Information Network; SAML=Security Assertion Markup Language; XACML=eXtensible Access Control Markup Language
  • 15. Advanced Concept Demonstrations: Protecting the Human Genome (RSA 2010). Diagram of a Patient Access Control System (PHR Service; PIP, PDP, PEP) and an XSPA Enabled Service Provider. Patient Policy: the patient has the ability to view their genotype and determine whether to deny access to all or portions of it; constrains access to specific AT-RISK SNPs based on characteristics and/or disease grouping. Diagram labels: Provider Request for Patient’s genotype; Constraints; Assertion Consumption; Visibility To Patient; Clinical Obligation; Adaptive Services Response; Continuous Re-validation of Patient Policy Intent; Original Mapping. Genome Wide Association Studies Service: Patient’s GWAS Genotype; new diseases and characteristics are mapped; multiple organizations contribute findings; trusted/clinically relevant providers. Abbreviations: GWAS=Genome-wide Association Study; PDP=Policy Decision Point; PEP=Policy Enforcement Point; PHR=Patient Health Record; PIP=Policy Information Point; SNP=Single Nucleotide Polymorphism; XSPA=Cross-enterprise Security and Privacy Authorization
  • 16. Global Participants. System and Participant Locations: RSA 2008 – San Francisco, CA; OASIS XACML InterOp Demonstration – Ditton Manor, London, UK; HIMSS 2009 – Chicago, IL; RSA 2010 – San Francisco, CA
  • 18. Reference Model Overview. Abbreviations: GW=Gateway; PEP=Policy Enforcement Point; ROI=Release of Information Office
  • 19. Consumer Privacy & eConsent
  • 20. Wife of a Wounded Warrior, Sarah Wade. Video: http://www.youtube.com/watch?v=wrgHtc5DKIM Testimony: http://veterans.house.gov/hearings/Testimony.aspx?TID=59828&Newsid=567&Name=%20Sarah%20%20Wade
  • 21. Veteran eConsent Task Goal
    – Provide Veterans with a simple way to create, electronically sign, and communicate their personal privacy preferences:
    – From their home, at a VA Hospital Kiosk, or anywhere else
    – To encourage and support participation in NHIN
    – Replace cumbersome paper-based systems
    – Meet ONC Consumer Preference Requirements
    – Veterans are VA’s consumers, but goals apply equally to all NHIN providers
    Abbreviations: NHIN=Nationwide Health Information Network; ONC=Office of the National Coordinator
  • 22. Meet ONC Consumer Preferences Requirements. Consumers should be able to:
    – Define permissions for who is permitted to access information
    – Express how their health information would be made available
    – Authorize release of their health information
    – Establish various types of consumer preferences (consents, advance directives, etc.)
    – Define privacy preference conditions including:
      – By type of information (all data, segmentation of data)
      – By role and criteria based access, including type of encounter, embargoed records (VIP, legal restrictions)
      – By time (start, end, duration)
      – By level of participation (opt-in, opt-out, with or without additional classifications, with or without additional granularity)
      – By purpose of use
    (Slide legend: Fully meets / Partially meets / Does not meet.) Abbreviations: NHIN=Nationwide Health Information Network; ONC=Office of the National Coordinator; VIP=Very Important Person
  • 23. Patient Viewpoint (to-be) Consent Directive
  • 24. VA Forms Supporting eConsent Policies
  • 25. eConsent Signature Service Framework (diagram). Components: Electronic Forms Service; Signature Service; Repository; Authentication Service; Demographic Service. Diagram labels (steps 1, 2, 3): User Input; Approval; Signature is bound to document; Veteran; Patient
  • 26. Leverages HL7 Consent Directive Analysis Model. Consent directive attributes: allow/disallow action; purpose of consent; effective period; additional conditions. Related elements: Privacy Policy Reference; Medical Record Reference (Patient Identification, Medical Record Identification); Action Specification (hierarchy of operations applied to information); Information Sender (Organization); Information Receiver (Role, Identity); Health Information Affected (Related to a diagnosis, Data Sensitivity, Coverage Type, Type of information (e.g., results))
  • 28. Release Of Information (ROI) Consent Reconciliation
  • 29.
  • 30. Consumer Preferences Selection (To-Be) – Initiate/Revoke. Abbreviations: MHV=MyHealtheVet; ROI=Release of Information; VAMC=VA Medical Center
  • 32. Security Management
    – Provide control and management of security mechanisms providing security services
    – Control and provision of enterprise security policy, identity and authorizations (IAM), and other security information
    – Generate configuration data, cryptographic keys
    – Provide security management for logging of security relevant events, recovery, and support for breach reporting
  • 33. Assigning and Provisioning Roles. ASTM E1986-2009 structural role codes (includes 166 codes), with the corresponding SNOMED CT code where the slide gives one:
    AUDIOLOGIST: 001 Audiologist – SNOMED CT 309418004
    DENTAL: 002 Dental Hygienist/Registered Dental Hygienist (RDH) – SNOMED CT 26042002; 003 Dentist – SNOMED CT 106289002; 004 Oral Surgeon – SNOMED CT 49993003
    DIETITIAN (RD): 005 Dietitian (RD) – SNOMED CT 159033005
    NON-WESTERN MEDICINE PROVIDERS: 006 Certified Acupuncturist (CA); 007 Licensed Massage Therapist (LMT)/Registered Massage Therapist (RMT)
    NURSE: 008 Nurse – SNOMED CT 224569005; 009 Clinical Nurse Specialist (CNS) – SNOMED CT 106292003; 010 Clinical Registered Nurse Anesthetist (CRNA) – SNOMED CT 405278004; 011 Licensed Vocational Nurse (LVN)/Licensed Practical Nurse (LPN); 012 Nurse Midwife (NM); 013 Nurse Practitioner (NP) – SNOMED CT 224571005; 014 Registered Nurse (RN) – SNOMED CT 224535009
    OPTOMETRIST (OD): 015 Optometrist (OD) – SNOMED CT 28229004
    PHARMACIST: 016 Pharmacist – SNOMED CT 46255001; 017 Pharmacist, Apothecary – SNOMED CT 159011008; 018 Pharmacist, Clinical – SNOMED CT 159010009
    PHYSICIAN: 019 Chiropractor (DC) – SNOMED CT 3842006; 020 Osteopath (DO) – SNOMED CT 76231001; 021 Homeopath; 022 MD/Allopath; 023 Naturopath (NP); 024 Pathologist – SNOMED CT 61207006; 025 Podiatrist (DPM) – SNOMED CT 159034004; 026 Psychiatrist – SNOMED CT 80584001; 027 Radiologist – SNOMED CT 66862007; 028 Physician Assistant (PA); 029 Psychologist – SNOMED CT 59944000; 030 Social Worker (LCSW) – SNOMED CT 106328005; 031 Speech Pathologist
  • 34. VA Identity and Access Management (diagram). Identity Proofing – Standardized Proofing Process: Capture Identity Information; Verify & Check Identity; Provide Identity; Administer Identity. Identity sources: BIRLS, LMS, PAID, VADIR, HealtheVet, Vista MPI, ETA/IFCAP, Other Sources (SSA, OPM, etc.). Populations: Veterans & Beneficiaries; Employees, Contractors & Affiliates. Services and outputs: Proofing Service; Proofing Repository; Correlate & Store; Provider Proofing; VA Trusted Agent; VIC Card; eBenefits; PIV Card Issuance Process; PIV E-Auth; Credentialing Process. Abbreviations: BIRLS=Beneficiary Identification and Records Locator System; eBenefits=Electronic Benefits; ETA/IFCAP=Integrated Funds Control, Accounting, and Procurement; LMS=Learning Management System; MPI=Master Patient Index; PAID=Personal and Accounting Integrated Data System; PIV=Personal Identity Verification; VADIR=VA/DoD Identity Repository; VIC=Veteran Identity Care; VISTA=Veterans Health Information Systems and Technology Architecture
  • 36. Consumer Preferences and Policy (CPP) SOA High-Level Framework. Standards: HITSP TP20 Access Control; TP30 Manage Consent Directives; OASIS XSPA SAML; WS-TRUST. Abbreviations: HITSP=Healthcare Information Technology Standards Panel; OASIS=Organization for the Advancement of Structured Information Standards; SAML=Security Assertion Markup Language; TP=Transaction Package; XACML=eXtensible Access Control Markup Language
  • 37. OASIS XSPA SAML Attribute Assertion. Attributes used to enforce security and privacy in an XSPA cross-enterprise exchange of patient data: Organization; Location; SubjectID (User) – unique identifier specific to a given entity; Purpose of Use (POU); Role (S) – Structural Role, refer to [ASTM E1986-98 (2005)]; Role (F) – Functional Role, refer to [HL7-PERM]; Permission 1 … Permission N, each {Action, Object} with a POU, ANSI-INCITS 359-2004 compliant. Attribute values are described in XSPA profiles and mutually agreed upon by participating entities.
  • 38. Implemented Security and Privacy Policies
    – Demonstrate the Enforcement of Patient Consent Directives
      – Opt-In / Opt-Out
      – Deny Access based on Organizations
      – Deny Access based on Role
      – Deny Access based on Purpose of Use*
      – Deny Access to Specific Providers
      – Mask C32 Results based on Role (future release)**
      – Mask C32 Results for Specific Providers (future release)**
      – Mask C32 Results based on data sensitivity (not supported)
    – Demonstrate the Enforcement of Organizational Policies
      – Limit access to specific organizations
      – Limit access during specific hours of the day
      – Require certain roles based on purpose of use and service requested
      – Require certain permissions based on purpose of use and service requested
    * Demonstration only. Current model is single purpose of use. ** Future capability. Requires ability of Adaptor to accept obligation.
  • 39. Current State
    – Nationwide Health Information Network Connect provides a basic Policy Decision Point (PDP)
      – Jericho Systems PDP with 12 pre-filled policies
      – Used in interoperability demonstrations
    – Can be used to deploy, test, and benchmark any provider’s solution
  • 41. Advanced Technology Demonstration. Clinicians request patient information with access control enforced by security and privacy policies. Can constrain access to many types of health care objects. Screen elements: Cross-domain patient Discovery menu; Clinical Summary (below) reflects provider domain’s security and privacy policies
  • 42. Advanced Technology Demonstration (Provider). Recent standards allow patients and organizations improved security and privacy control over medical records:
    – Patient must opt-in before their record is exchanged
    – Patient can constrain the domains that have access to their records
    – Patient can set general restrictions through use of HL7 Confidentiality Codes
    – Patient can set specific restrictions to specific roles based on Purpose of Use, or constrain access of specific providers
    – Patient can mask specific portions of the medical record based on Role or a Specific Provider
  • 43. Advanced Technology Demonstration (Requester). Clinicians now have access to patients’ records with appropriate access control enforced by both domains. User may assert Purpose of Use as Emergency Treatment. Screen element: Cross-domain patient Discovery menu
  • 44. XACML Policy Examples
    Patient Policy: Opt-IN; Blacklisted Organizations; Confidentiality/Sensitive Data; Selected Provider – Role Based Denial; Selected Provider – Unique ID Based Denial; Data Redaction – Provider Role; Data Redaction – Provider Unique Identifier
    Demonstrated Advanced Concepts – Genomics of Obligations
    Example – Patient denial based on the subject's ASTM structured role:
    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting:role" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Description>Denies the request from the subject if their role is not permitted by the patient.</Description>
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
      </Target>
      <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xspa:1.0:patient:dissenting:roles:deny">
        <Description>Evaluates the dissenting-role (if available) against the subject's role.</Description>
        <Target />
        <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
          </Apply>
        </Condition>
      </Rule>
    </Policy>
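To make the decision logic of the dissenting-role policy concrete (the "Deny Access based on Role" consent directive of slide 38, expressed in XACML on slide 44), here is an added Python example; it is not code from the presentation, the Jericho Systems PDP, or NHIN CONNECT. It parses the slide's policy with the standard library and evaluates constructed request contexts whose attribute names are the XSPA ones from slide 37. It assumes the namespace-less XML exactly as excerpted on the slide and implements only the pieces that policy uses: deny-overrides combining, a string-equal resource match in the Target, and an and/string-subset Condition.

```python
"""Mini-evaluator for the XACML subset used in the XSPA 'dissenting role' policy.
Added example, not presentation, Jericho Systems PDP or NHIN CONNECT code; assumes
the namespace-less XML shown on the slide. Sample request values are constructed."""
import xml.etree.ElementTree as ET

MEDICAL_RECORD = "urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record"
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_TYPE = "urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DISSENTING_ROLE = "urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-role"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# The policy from the slide, with only whitespace normalised.
DISSENTING_ROLE_POLICY = f"""
<Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting:role"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Denies the request from the subject if their role is not permitted by the patient.</Description>
  <Target><Resources><Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{XS_STRING}">{MEDICAL_RECORD}</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_TYPE}" DataType="{XS_STRING}"/>
    </ResourceMatch>
  </Resource></Resources></Target>
  <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xspa:1.0:patient:dissenting:roles:deny">
    <Description>Evaluates the dissenting-role (if available) against the subject's role.</Description>
    <Target/>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
          <SubjectAttributeDesignator AttributeId="{SUBJECT_ROLE}" DataType="{XS_STRING}"/>
          <ResourceAttributeDesignator AttributeId="{DISSENTING_ROLE}" DataType="{XS_STRING}"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
"""


def _bag(designator, request):
    """Resolve a Subject-/ResourceAttributeDesignator to a bag (list) of string values."""
    category = "subject" if designator.tag.startswith("Subject") else "resource"
    return list(request[category].get(designator.get("AttributeId"), []))


def _apply(node, request):
    """Evaluate a Condition expression: designators yield bags, Apply yields a boolean."""
    if node.tag.endswith("AttributeDesignator"):
        return _bag(node, request)
    if node.tag == "AttributeValue":
        return [node.text or ""]
    if node.tag != "Apply":
        raise ValueError(f"unsupported element {node.tag!r}")
    function = node.get("FunctionId").rsplit(":", 1)[1]
    args = [_apply(child, request) for child in node]
    if function == "and":            # true when every argument is true
        return all(args)
    if function == "string-subset":  # true when every value of bag 1 occurs in bag 2
        return set(args[0]) <= set(args[1])
    raise ValueError(f"unsupported function {function!r}")


def _target_matches(target, request):
    """<Target/> matches every request; otherwise each ResourceMatch must hold.
    Treating the matches conjunctively is exact for this policy's single <Resource>."""
    if target is None:
        return True
    for match in target.iter("ResourceMatch"):
        if not match.get("MatchId").endswith(":string-equal"):
            raise ValueError("only string-equal matches are supported")
        literal = match.find("AttributeValue").text
        bag = _bag(match.find("ResourceAttributeDesignator"), request)
        if literal not in bag:       # a match holds if any bag value equals the literal
            return False
    return True


def evaluate(policy_xml, request):
    """Return 'Deny', 'Permit' or 'NotApplicable' for the request under deny-overrides."""
    policy = ET.fromstring(policy_xml.strip())
    if not policy.get("RuleCombiningAlgId").endswith(":deny-overrides"):
        raise ValueError("only deny-overrides is supported")
    if not _target_matches(policy.find("Target"), request):
        return "NotApplicable"
    effects = []
    for rule in policy.findall("Rule"):
        if not _target_matches(rule.find("Target"), request):
            continue
        condition = rule.find("Condition")
        if condition is None or _apply(condition[0], request):
            effects.append(rule.get("Effect"))  # a false Condition makes the rule NotApplicable
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def make_request(subject_roles, dissenting_roles, resource_type=MEDICAL_RECORD):
    """Constructed request context: subject roles as carried in the XSPA SAML assertion,
    dissenting roles as recorded in the patient's consent directive (PIP-supplied)."""
    return {
        "subject": {SUBJECT_ROLE: list(subject_roles)},
        "resource": {RESOURCE_TYPE: [resource_type], DISSENTING_ROLE: list(dissenting_roles)},
    }


if __name__ == "__main__":
    for roles, dissent in [(["Pharmacist"], ["Pharmacist", "Social Worker"]),
                           (["Physician"], ["Pharmacist", "Social Worker"]),
                           (["Pharmacist", "Physician"], ["Pharmacist"])]:
        print(roles, "vs dissent", dissent, "->", evaluate(DISSENTING_ROLE_POLICY, make_request(roles, dissent)))
```

Two properties of the slide's policy are worth checking against vectors like these before it is trusted in a PDP: because the rule uses string-subset, a subject asserting several structural roles is denied only when all of them are dissented (a Pharmacist who also asserts Physician is not caught), and a subject whose role bag is empty is trivially a subset of any dissenting bag and is denied, which fails closed. When the condition is false the rule is NotApplicable rather than Permit, so a separate permitting policy is still needed for access to be granted.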
  • 45. Demonstration Videos
    Use Case Examples:
    – Patient Privacy – Clinical Data Masking: http://www.youtube.com/watch?v=RKbAtmgWGz4
    – Health Care Organization Policy – Emergency Treatment: http://www.youtube.com/watch?v=8aA2Uy6IsQs
    – Protecting the Human Genome: http://www.youtube.com/watch?v=A3HtXCu2sa8
    Overviews:
    – XSPA Technology Overview – Part 1: http://www.youtube.com/watch?v=fQQRwnbg-IE
    – XSPA Technology Overview – Part 2a: http://www.youtube.com/watch?v=TvHt9Yz2ekk
    – XSPA Technology Overview – Part 2b: http://www.youtube.com/watch?v=3IZvVDNvmiU
    * Larger videos are available for viewing at: http://www.ascendahealthcare.com/himss2009.html
  • 46. Next Steps: OASIS Reference Model; OASIS Certification; XSPA Profile of WS-Trust; OASIS XACML Ontology; OASIS Privacy Management Reference Model (PMRM); INCITS (Next Gen RBAC); ISO Purpose of Use; OASIS XSPA Submission to ITU; SOA PASS Audit; IHE XUA++
  • 47. Lessons Learned
    – Need for strong level of assurance between the consumer's identity and health record identity (potentially at multiple locations)
    – Need national guidance for the use of electronic signature in consent directives
    – Need for more effort in back office security and privacy management: role assignment, policy writing, provisioning, etc.
  • 48. Summary
  • 49. HL7 Access Control Service Framework
  • 50. Summary
    – Core standards are in place and new standards are under development to meet gaps
    – Vendors have demonstrated the ability to implement:
      – Multiple vendors demonstrated at several InterOps
      – “no cost” solutions available today from NHIN CONNECT: http://www.connectopensource.org/partners/Jericho%20Systems%20Corporation
    – VA is implementing advanced security and privacy capabilities in NHIN projects:
      – Kaiser Permanente and DoD
      – Plans to participate in Beacon Communities
    QUESTIONS? Abbreviations: NHIN=Nationwide Health Information Network